Password changes ‘too hard for the country’s top minds’ – it’s official

The UK’s new National Cyber Security Centre (www.ncsc.gov.uk) was recently officially opened by the Queen, with a mission to spread good practice among British companies and consumers, and to defend our national infrastructure against outside interference.

On the day of the royal opening, Ciaran Martin, the centre’s chief executive, was interviewed on BBC Radio 4’s Today programme, where anchorman John Humphrys questioned him about all aspects of the NCSC’s work. The conversation focused largely on the threat coming from overseas governments, notably Vladimir Putin’s Russia, which has been credited with all sorts of cyber attacks during the last few years.

Finally, Humphrys turned to the big problem that everyone has with cyber security: how do I remember all my passwords, especially if I follow the official guidance and change them all regularly? “Bonkers” was how he described it.

Surprisingly, Martin agreed, and explained why. He said his teams had recently looked at the number of passwords that people have to manage, and concluded: “We worked out that we were asking every British citizen to memorise a new 600-digit number every month. None of my best people can do that!”

So there you have it from the horse’s mouth. Passwords are either too complex to remember or too easy to guess. And that’s why two-factor authentication is the secure and simple answer. If you can send a one-time passcode to the user’s mobile phone, then he or she is not relying totally on remembering a password. The password doesn’t have to be strong (i.e. complex) any more, because security no longer relies on it. Simple, effective, safe.
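To show what the server side of that one-time passcode step involves, here is an added example in Python; it is not code from this post, the NCSC or any product, and the class, method names and the 6-digit/5-minute/3-attempt settings are assumptions chosen for illustration. The point it makes is that the code only adds a second factor if it is random, single-use, time-limited and attempt-limited; the comments mark each of those checks.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed: length of the SMS code
CODE_TTL_SECONDS = 300   # assumed: code is valid for five minutes
MAX_ATTEMPTS = 3         # assumed: wrong guesses allowed per issued code


class OneTimePasscodes:
    """Issue and verify phone-delivered one-time passcodes (illustrative)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # user -> [code, expires_at, attempts_left]

    def issue(self, user):
        """Create a fresh random code for the user; the caller sends it by SMS."""
        # secrets, not random: the code must be unpredictable to an attacker
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = [code, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, user, submitted):
        """Return True only for the current, unexpired, unused code."""
        entry = self._pending.get(user)
        if entry is None:
            return False                       # nothing issued, or already consumed
        code, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[user]            # time-limited: stale code is discarded
            return False
        # constant-time comparison so a timing side channel cannot leak digits
        if hmac.compare_digest(code, submitted):
            del self._pending[user]            # single-use: a replayed code fails
            return True
        entry[2] = attempts_left - 1           # attempt-limited: no online brute force
        if entry[2] <= 0:
            del self._pending[user]            # too many wrong guesses: re-issue needed
        return False
```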